Uncollected Thoughts on VMware NSX

VMware NSX got its official launch this week at VMworld. As a measure of how important VMware regards NSX, the first keynote on the first day is Martin Casado doing the official presentation.

My general view is that NSX is the real deal. I have been talking and writing about OpenFlow since May 2011, and many have complained that SDN isn’t important and that I should focus on real network issues. Well, it should now be clear that SDN is a serious strategy issue and we might have been ahead of the market.

The Packet Pushers Podcast has a sponsored show with Scott Lowe & Brad Hedlund to be published on Sept 9, 2013. There is a lot of information in that show and it makes a good accompaniment to this post.

Led by Network Services

To understand NSX, you need to change your perspective on networking. I spent my first decade in networking connecting stuff together with activities like switching, routing, Ethernet ports, WAN connections and other obvious network stuff.

The point is that “networking” isn’t just about connecting stuff, it’s about delivering services. Connectivity is a service, but so are firewall rules, load balancers and routing. These are ‘services’ that I sell to my ‘customer’. It’s no longer enough for an engineer to plug in a WAN connection or a patch lead; it’s about the value you can bring from other tasks.

NSX adds to your network. An overlay network doesn’t mean less networking, it means more networking, in more places, with more tools and more visibility. By and large, it doesn’t “replace”, it extends and enhances your existing networks.

VMware NSX provides services. It does not provide connectivity.

This is somewhat important. You still need a physical network to connect the hypervisors, but it’s no longer a requirement to have a complex physical network. You might choose to have a complicated network, but it is no longer a requirement.

Looking back

Given what I understand about VMware vCloud and the network overlays, I think I can see the future of data centre networking moving towards controller-based networks.

It turned out that I got this more or less right, although I was missing many pieces, such as how the controller would integrate with the network devices. In April 2011 I recorded Show 40 – Openflow – Upending the Network Industry and it was all lights and buzzers for me. It was immediately obvious what this might mean for network architectures and operations.

I got controller networking better defined in August 2012, when I was able to spell out more of the architecture with an SDN Compass, as it became clear that OpenFlow offered a way to integrate the physical network with the controller. It was only later that I realised networking hardware would take a number of years to become capable of performing dynamic flow management: existing silicon is not flexible enough to handle a flow-managed network, and it will take some years to develop new switches.

NSX is an overlay networking technology

I’ve explained Overlay Networking in a three-part series of blog posts from a vendor-agnostic point of view. People tell me it is a good introduction to the main technical topics.

NSX is more than a virtual switch, it’s a network device

NSX uses a software agent to replace the virtual switch in your hypervisor. The virtual switch operates in the kernel of the VMware ESX hypervisor. From its Open vSwitch roots, NSX also operates in the kernel of Linux KVM. And because Microsoft has made the Hyper-V virtual switch extensible, it’s expected to operate in kernel mode on Hyper-V in the foreseeable future.

This makes NSX available on the same platforms as the Cisco Nexus 1000V virtual switch (the only other widely available virtual switch).

NSX Works on Any Physical Network, Works Better on a Modern Network

VMware promotes the fact that NSX will work on your existing network. The overlay networking design means that IP connectivity between hypervisors is the minimum network requirement. However, start making plans for hardware upgrades, because you will need more bandwidth for any serious rollout. Networks based on Spanning Tree or MLAG in the core are likely to be heavily stressed: not because of NSX specifically, but because of new traffic patterns and loads in the East/West direction. Encapsulation also adds header bytes to every frame, so plan to raise the MTU on the physical network rather than let the outer packets fragment.
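To make the “IP connectivity is the minimum requirement” point concrete, here is an added example (not code from this post or from VMware) that builds an encapsulated frame the way a hypervisor tunnel endpoint would. VXLAN is assumed for illustration because it is one of the encapsulations NSX supports; the VNI, MAC and IP addresses are constructed. The physical network only ever forwards the outer IP packet between the two hypervisor addresses, which is why the inner VM addressing can be anything, and the 50 bytes of added headers are the reason the underlay MTU has to be raised.

```python
import hashlib
import ipaddress
import struct

VXLAN_PORT = 4789                 # IANA-assigned UDP port for VXLAN (RFC 7348)
VXLAN_OVERHEAD = 14 + 20 + 8 + 8  # outer Ethernet + outer IPv4 + UDP + VXLAN header = 50 bytes


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ipv4_checksum(header):
    """Ones-complement sum over the header; a header carrying a valid checksum sums to zero."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ethernet(dst, src, ethertype, payload):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def ipv4(src, dst, proto, payload):
    # DF set: a tunnel endpoint relies on the underlay MTU rather than on fragmenting outer packets
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def entropy_port(inner):
    """RFC 7348 derives the outer source port from the inner headers so underlay ECMP can spread flows."""
    digest = hashlib.sha256(inner[:14]).digest()          # inner dst MAC, src MAC, ethertype
    return 49152 + int.from_bytes(digest[:2], "big") % 16384


def vxlan_encap(inner, vni, src_vtep, dst_vtep, src_vtep_mac, dst_vtep_mac):
    """What the hypervisor's tunnel endpoint (VTEP) does to a frame leaving a VM."""
    vxlan = struct.pack("!B3xI", 0x08, vni << 8)           # I flag set, 24-bit VNI, reserved bits zero
    udp_payload = vxlan + inner
    udp = struct.pack("!HHHH", entropy_port(inner), VXLAN_PORT, 8 + len(udp_payload), 0) + udp_payload
    return ethernet(dst_vtep_mac, src_vtep_mac, 0x0800, ipv4(src_vtep, dst_vtep, 17, udp))


def vxlan_decap(outer):
    """Reverse the encapsulation at the receiving VTEP, validating each outer layer on the way in."""
    if struct.unpack("!H", outer[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ip = outer[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if ip[9] != 17:
        raise ValueError("outer packet is not UDP")
    udp = ip[ihl:]
    _, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    if dport != VXLAN_PORT:
        raise ValueError("not a VXLAN datagram")
    flags, vni_field = struct.unpack("!B3xI", udp[8:16])
    if not flags & 0x08:
        raise ValueError("VXLAN I flag not set")
    return vni_field >> 8, udp[16:ulen]


def underlay_view(outer):
    """The only addresses the physical network needs to route: the two hypervisor VTEP IPs."""
    return str(ipaddress.IPv4Address(outer[26:30])), str(ipaddress.IPv4Address(outer[30:34]))


def required_underlay_mtu(vm_mtu=1500):
    return vm_mtu + VXLAN_OVERHEAD


if __name__ == "__main__":
    # Constructed sample: a VM-to-VM frame on a tenant segment, carried between two hypervisors
    inner = ethernet("00:50:56:aa:00:02", "00:50:56:aa:00:01", 0x0800, b"\x45" + bytes(19) + b"vm payload")
    outer = vxlan_encap(inner, 5001, "192.0.2.10", "192.0.2.20", "52:54:00:00:00:10", "52:54:00:00:00:20")
    print("overhead bytes:", len(outer) - len(inner), "underlay sees:", underlay_view(outer))
    print("decapsulated VNI:", vxlan_decap(outer)[0], "underlay MTU needed:", required_underlay_mtu())
```

Running it prints the overhead and the underlay’s view of the packet. The DF bit is set on the outer header because tunnel endpoints depend on the underlay MTU being large enough, and the outer source port is hashed from the inner headers so that the physical network’s ECMP can spread tenant flows across links it cannot otherwise tell apart.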

Also, the introduction of Virtual SAN technology means that NoSAN technology has reached the SMB market and, I believe, signals the end of Fibre Channel in the SMB/midsize market. Because Virtual SAN promotes the use of SSD for caching in front of spinning rust drives, network performance is going to become vital sometime in 2015 when this grows beyond the current 8-server maximum.

NSX means Less Project Hassle for Funding Network Upgrades

The NSX agent can perform Layer 3 routing, Layer 2 switching and stateful firewalling. All of these functions are distributed through the entire hypervisor fabric, with processing performed in the hypervisor kernel. Each new hardware server adds CPU and memory to the network function. In other words, every time a project buys a server, it is also buying firewall and routing hardware.

You will still need an Ethernet fabric to move those frames around the data centre, but the majority of your firewalls, IDS/IPS and load balancers will be moved into the hypervisor. Total win!! No more looking for projects to fund hundreds of thousands of dollars for the F5 upgrade or your next ASA upgrade. No more gambling that the current hardware can handle the load. Instead of fighting for funding, I can focus on services.

NSX is Very Much a Services Platform

The overlay network will deliver routing, switching and firewalls. And with the level of network control that is possible in an overlay network, you can deploy dedicated VM appliances for load balancing, proxy servers, mail gateways, VPN concentrators and IDS/IPS. You don’t need to pony up many thousands for custom hardware just to stay within the performance parameters of the problem. Services are the same whether they run on custom hardware or on an x86 commodity server.

NSX should be Easier to Operate

In terms of operation, NSX is a controller-based network technology. The single, coherent view of the virtual network will provide more information to the network engineer. At the same time, replacing the virtual switch with a true networking device means that offering services to the servers and applications becomes much easier.

In particular, visibility of the server is much improved. The NSX controller knows the location of every virtual server and tracks information about that server’s interfaces. The data are roughly equivalent to SNMP data sets and will provide long-term charting and graphing similar to your existing network management tool chain. Importantly, as the server moves within the virtual infrastructure, the interface remains uniquely identified and visible.
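Two claims in this post, that stateful firewalling is enforced in the kernel of whichever hypervisor currently hosts the VM (the section on funding upgrades) and that the controller keeps the interface uniquely identified as the VM moves (this section), can be modelled together in a few dozen lines. This is an added illustration, not NSX’s code or data model: the rule format, the VIF identifiers, the host names and the IP addresses are all constructed, and the assumption that connection state is copied to the new host on migration is the model’s own, exposed as a switch so you can see what breaks when it isn’t.

```python
import ipaddress
from collections import defaultdict


def reverse(flow):
    """Swap the endpoints of a (src_ip, dst_ip, proto, sport, dport) 5-tuple to get the reply direction."""
    src, dst, proto, sport, dport = flow
    return (dst, src, proto, dport, sport)


class Rule:
    """One per-VIF policy line: direction relative to the VM, protocol, destination port, remote prefix."""
    def __init__(self, direction, proto, dport, action, remote="0.0.0.0/0"):
        self.direction, self.proto, self.dport, self.action = direction, proto, dport, action
        self.remote = ipaddress.ip_network(remote)

    def matches(self, direction, flow):
        src, dst, proto, sport, dport = flow
        remote = dst if direction == "out" else src        # the non-VM end of the flow
        return (self.direction == direction and self.proto == proto
                and self.dport == dport and ipaddress.ip_address(remote) in self.remote)


class VIF:
    """A virtual interface; the id is the stable handle the controller keys everything on (constructed)."""
    def __init__(self, vif_id, rules):
        self.id, self.rules = vif_id, rules


class Hypervisor:
    """Kernel-resident enforcement point. A host holds state only for VIFs currently attached to it."""
    def __init__(self, name):
        self.name = name
        self.conntrack = defaultdict(set)   # vif_id -> established flows, stored in VM-egress orientation

    def admit(self, vif, direction, flow):
        egress = flow if direction == "out" else reverse(flow)
        if egress in self.conntrack[vif.id]:            # established traffic never re-consults the rules
            return True
        for rule in vif.rules:                           # first match wins; no match means default deny
            if rule.matches(direction, flow):
                if rule.action == "allow":
                    self.conntrack[vif.id].add(egress)
                    return True
                return False
        return False


class Controller:
    """Knows where every VIF lives and keeps per-VIF counters that survive a move between hosts."""
    def __init__(self):
        self.location = {}
        self.counters = defaultdict(lambda: {"in": 0, "out": 0, "dropped": 0})

    def attach(self, vif, host):
        self.location[vif.id] = host

    def migrate(self, vif, new_host, move_state=True):
        old = self.location[vif.id]
        state = old.conntrack.pop(vif.id, set())
        if move_state:                                   # assumption: state follows the VM, else open flows break
            new_host.conntrack[vif.id] = state
        self.location[vif.id] = new_host

    def deliver(self, vif, direction, flow):
        """Enforce on whichever host the VIF is on; counters stay keyed to the VIF, not the host."""
        ok = self.location[vif.id].admit(vif, direction, flow)
        self.counters[vif.id][direction if ok else "dropped"] += 1
        return ok


def demo(move_state=True):
    """Constructed scenario: a web VM takes client traffic, talks to a database, then is vMotioned."""
    web = VIF("vif-web-01", [Rule("in", "tcp", 443, "allow"),
                             Rule("out", "tcp", 5432, "allow", remote="10.0.2.0/24")])
    host_a, host_b, ctrl = Hypervisor("esx-a"), Hypervisor("esx-b"), Controller()
    ctrl.attach(web, host_a)
    client_to_web = ("203.0.113.5", "10.0.1.10", "tcp", 51000, 443)
    web_to_db = ("10.0.1.10", "10.0.2.20", "tcp", 40000, 5432)
    ssh_probe = ("203.0.113.9", "10.0.1.10", "tcp", 51001, 22)
    results = {
        "client_request": ctrl.deliver(web, "in", client_to_web),       # allowed by rule
        "web_reply": ctrl.deliver(web, "out", reverse(client_to_web)),   # allowed by state, no out rule needed
        "db_query": ctrl.deliver(web, "out", web_to_db),                 # allowed by rule
        "ssh_probe": ctrl.deliver(web, "in", ssh_probe),                 # default deny
    }
    ctrl.migrate(web, host_b, move_state)                                 # VM moves; enforcement point moves with it
    results["db_reply_after_move"] = ctrl.deliver(web, "in", reverse(web_to_db))
    results["enforcing_host"] = ctrl.location[web.id].name
    results["counters"] = dict(ctrl.counters[web.id])
    return results


if __name__ == "__main__":
    print(demo())
    print(demo(move_state=False))
```

Enforcement is per VIF on the local host, so no packet crosses a central choke point, and the counters are keyed to the VIF id rather than to the host, which is what lets long-term charting survive a vMotion. Run it with `move_state=False` and the database reply that arrives after the move is dropped, because the new host has no record of the flow the old host permitted.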

Software Defined Data Centre becomes practical

If you are using cloud tool chains like OpenStack or vCloud Director, you will now have the ability to really change the way your entire infrastructure works through the Software Defined Data Centre. I’ll talk more about SDDC at the SDDC: Software Defined Data Center Symposium 2013 in September, so it’s worth tuning in to learn more.

About Greg Ferro

Human Infrastructure for Data Networks. 25-year survivor of Corporate IT in many verticals, with tens of employers, working on a wide range of networking solutions and products.

Host of the Packet Pushers Podcast on data networking at http://packetpushers.net - now the largest networking podcast on the Internet.

Comments

Great write-up on NSX’s origins, concepts and implications. Very nicely reflects my own take on NSX (not surprising since it’s heavily influenced by you, Ivan and other Packet Pushers!) and I will definitely reference this post when asked what NSX is all about!

So you see customers buying a VMware router instead of a Cisco one? Buying a VMware FW instead of a Checkpoint one and buying a VMware load balancer instead of an F5 one, all just because it is easier to automate? If so, then indeed all the industry of networking and services for the DC can go bye-bye. If not, then VMware has taken a very risky path going up the stack to try and provide the OS itself (a FW OS, a switch OS etc.). The overlay network can be done using other tunneling protocols; nothing new in this Nicira encapsulation.
So maybe we are left with the automation and controller? If this is the case then just a unification of APIs is needed to maintain the dominant players in their respective domains.
In any case VMware just added Cisco and Juniper, F5 etc. to the list of competitors that they already have, like all SPs, Amazon, Microsoft and Oracle. A bold move indeed …

Very nice post! Thanks Greg! I have just recently been talking to colleagues about this idea, that NSX is a 2nd generation SDN approach, which is rather elegant and deployable, compared to 1st gen iterations like Nicira, Midokura Midonet etc. But still I agree that NSX is ahead of the industry with the potential of killing or at least changing many processes in IT departments.